Skip to content

Commit ef500c2

Browse files
ColtonWilleyColtonWilley
committed
Add new option to always copy cert buffer for each SSL object
1 parent 9f9e890 commit ef500c2

4 files changed

Lines changed: 99 additions & 0 deletions

File tree

src/internal.c

Lines changed: 30 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -6803,9 +6803,39 @@ int SetSSL_CTX(WOLFSSL* ssl, WOLFSSL_CTX* ctx, int writeDup)
68036803
#endif /* HAVE_RPK */
68046804

68056805
#ifndef NO_CERTS
6806+
#ifdef WOLFSSL_COPY_CERT
6807+
/* If WOLFSSL_COPY_CERT is defined, always copy the cert */
6808+
if (ctx->certificate != NULL) {
6809+
if (ssl->buffers.certificate != NULL) {
6810+
FreeDer(&ssl->buffers.certificate);
6811+
}
6812+
ret = AllocCopyDer(&ssl->buffers.certificate, ctx->certificate->buffer,
6813+
ctx->certificate->length, ctx->certificate->type,
6814+
ctx->certificate->heap);
6815+
if (ret != 0) {
6816+
return ret;
6817+
}
6818+
6819+
ret = WOLFSSL_SUCCESS;
6820+
}
6821+
if (ctx->certChain != NULL) {
6822+
if (ssl->buffers.certChain != NULL) {
6823+
FreeDer(&ssl->buffers.certChain);
6824+
}
6825+
ret = AllocCopyDer(&ssl->buffers.certChain, ctx->certChain->buffer,
6826+
ctx->certChain->length, ctx->certChain->type,
6827+
ctx->certChain->heap);
6828+
if (ret != 0) {
6829+
return ret;
6830+
}
6831+
6832+
ret = WOLFSSL_SUCCESS;
6833+
}
6834+
#else
68066835
/* ctx still owns certificate, certChain, key, dh, and cm */
68076836
ssl->buffers.certificate = ctx->certificate;
68086837
ssl->buffers.certChain = ctx->certChain;
6838+
#endif
68096839
#ifdef WOLFSSL_TLS13
68106840
ssl->buffers.certChainCnt = ctx->certChainCnt;
68116841
#endif

src/ssl.c

Lines changed: 40 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -10806,6 +10806,11 @@ int wolfSSL_set_compression(WOLFSSL* ssl)
1080610806
return BAD_FUNC_ARG;
1080710807
}
1080810808

10809+
#ifdef WOLFSSL_COPY_CERT
10810+
/* If WOLFSSL_COPY_CERT defined, always free cert buffers in SSL obj */
10811+
FreeDer(&ssl->buffers.certificate);
10812+
FreeDer(&ssl->buffers.certChain);
10813+
#endif
1080910814
if (ssl->buffers.weOwnCert && !ssl->keepCert) {
1081010815
WOLFSSL_MSG("Unloading cert");
1081110816
FreeDer(&ssl->buffers.certificate);
@@ -19549,6 +19554,11 @@ void wolfSSL_certs_clear(WOLFSSL* ssl)
1954919554
/* ctx still owns certificate, certChain, key, dh, and cm */
1955019555
if (ssl->buffers.weOwnCert)
1955119556
FreeDer(&ssl->buffers.certificate);
19557+
#ifdef WOLFSSL_COPY_CERT
19558+
/* If WOLFSSL_COPY_CERT defined, always free cert buffers in SSL obj */
19559+
FreeDer(&ssl->buffers.certificate);
19560+
FreeDer(&ssl->buffers.certChain);
19561+
#endif
1955219562
ssl->buffers.certificate = NULL;
1955319563
if (ssl->buffers.weOwnCertChain)
1955419564
FreeDer(&ssl->buffers.certChain);
@@ -20151,9 +20161,39 @@ WOLFSSL_CTX* wolfSSL_set_SSL_CTX(WOLFSSL* ssl, WOLFSSL_CTX* ctx)
2015120161
ssl->ctx = ctx;
2015220162

2015320163
#ifndef NO_CERTS
20164+
#ifdef WOLFSSL_COPY_CERT
20165+
/* If WOLFSSL_COPY_CERT defined, always make new copy of cert */
20166+
if (ctx->certificate != NULL) {
20167+
if (ssl->buffers.certificate != NULL) {
20168+
FreeDer(&ssl->buffers.certificate);
20169+
}
20170+
ret = AllocCopyDer(&ssl->buffers.certificate, ctx->certificate->buffer,
20171+
ctx->certificate->length, ctx->certificate->type,
20172+
ctx->certificate->heap);
20173+
if (ret != 0) {
20174+
return NULL;
20175+
}
20176+
20177+
ret = WOLFSSL_SUCCESS;
20178+
}
20179+
if (ctx->certChain != NULL) {
20180+
if (ssl->buffers.certChain != NULL) {
20181+
FreeDer(&ssl->buffers.certChain);
20182+
}
20183+
ret = AllocCopyDer(&ssl->buffers.certChain, ctx->certChain->buffer,
20184+
ctx->certChain->length, ctx->certChain->type,
20185+
ctx->certChain->heap);
20186+
if (ret != 0) {
20187+
return NULL;
20188+
}
20189+
20190+
ret = WOLFSSL_SUCCESS;
20191+
}
20192+
#else
2015420193
/* ctx owns certificate, certChain and key */
2015520194
ssl->buffers.certificate = ctx->certificate;
2015620195
ssl->buffers.certChain = ctx->certChain;
20196+
#endif
2015720197
#ifdef WOLFSSL_TLS13
2015820198
ssl->buffers.certChainCnt = ctx->certChainCnt;
2015920199
#endif

src/ssl_load.c

Lines changed: 11 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -236,6 +236,9 @@ static int ProcessUserChainRetain(WOLFSSL_CTX* ctx, WOLFSSL* ssl,
236236
/* Store in SSL object if available. */
237237
if (ssl != NULL) {
238238
/* Dispose of old chain if not reference to context's. */
239+
#ifdef WOLFSSL_COPY_CERT
240+
FreeDer(&ssl->buffers.certChain);
241+
#endif
239242
if (ssl->buffers.weOwnCertChain) {
240243
FreeDer(&ssl->buffers.certChain);
241244
}
@@ -2079,6 +2082,10 @@ static int ProcessBufferCertHandleDer(WOLFSSL_CTX* ctx, WOLFSSL* ssl,
20792082
/* Leaf certificate - our certificate. */
20802083
else if (type == CERT_TYPE) {
20812084
if (ssl != NULL) {
2085+
#ifdef WOLFSSL_COPY_CERT
2086+
/* Always Free previously set if WOLFSSL_COPY_CERT defined */
2087+
FreeDer(&ssl->buffers.certificate);
2088+
#endif
20822089
/* Free previous certificate if we own it. */
20832090
if (ssl->buffers.weOwnCert) {
20842091
FreeDer(&ssl->buffers.certificate);
@@ -4560,6 +4567,10 @@ static int wolfssl_add_to_chain(DerBuffer** chain, int weOwn, const byte* cert,
45604567
c32to24(certSz, newChain->buffer + len);
45614568
XMEMCPY(newChain->buffer + len + CERT_HEADER_SZ, cert, certSz);
45624569

4570+
#ifdef WOLFSSL_COPY_CERT
4571+
FreeDer(chain);
4572+
#endif
4573+
45634574
/* Dispose of old chain if we own it. */
45644575
if (weOwn) {
45654576
FreeDer(chain);

tests/api.c

Lines changed: 18 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -77291,9 +77291,18 @@ static int test_wolfSSL_set_SSL_CTX(void)
7729177291
#ifdef WOLFSSL_SESSION_ID_CTX
7729277292
ExpectIntEQ(XMEMCMP(ssl->sessionCtx, session_id2, 4), 0);
7729377293
#endif
77294+
#ifdef WOLFSSL_COPY_CERT
77295+
if (ctx2->certificate != NULL) {
77296+
ExpectFalse(ssl->buffers.certificate == ctx2->certificate);
77297+
}
77298+
if (ctx2->certChain != NULL) {
77299+
ExpectFalse(ssl->buffers.certChain == ctx2->certChain);
77300+
}
77301+
#else
7729477302
ExpectTrue(ssl->buffers.certificate == ctx2->certificate);
7729577303
ExpectTrue(ssl->buffers.certChain == ctx2->certChain);
7729677304
#endif
77305+
#endif
7729777306

7729877307
#ifdef HAVE_SESSION_TICKET
7729977308
ExpectIntNE((wolfSSL_get_options(ssl) & SSL_OP_NO_TICKET), 0);
@@ -77310,8 +77319,17 @@ static int test_wolfSSL_set_SSL_CTX(void)
7731077319
#endif
7731177320
/* MUST change */
7731277321
#ifdef WOLFSSL_INT_H
77322+
#ifdef WOLFSSL_COPY_CERT
77323+
if (ctx1->certificate != NULL) {
77324+
ExpectFalse(ssl->buffers.certificate == ctx1->certificate);
77325+
}
77326+
if (ctx1->certChain != NULL) {
77327+
ExpectFalse(ssl->buffers.certChain == ctx1->certChain);
77328+
}
77329+
#else
7731377330
ExpectTrue(ssl->buffers.certificate == ctx1->certificate);
7731477331
ExpectTrue(ssl->buffers.certChain == ctx1->certChain);
77332+
#endif
7731577333
#ifdef WOLFSSL_SESSION_ID_CTX
7731677334
ExpectIntEQ(XMEMCMP(ssl->sessionCtx, session_id1, 4), 0);
7731777335
#endif

0 commit comments

Comments
 (0)